GSS-API and libkrb5 behavior for Anonymous tickets

Greg Hudson ghudson at MIT.EDU
Wed Nov 4 16:43:23 EST 2009

On Wed, 2009-11-04 at 16:13 -0500, Sam Hartman wrote:
> However, I disagree fairly strongly unless this is going to be
> accompanied by an update to 2743.  My argument is that it breaks
> conforming GSS-API applications.  If I'd prefer anonymous but would be
> willing to accept an authenticated context, then I would end up
> failing with your mechanism.  If I'm writing a portable application I
> have to check the output flag anyway, even if some mechanisms do offer
> this behavior.

I agree with Sam.  I don't see any point in providing safety that
applications can't rely on.  It seems like it would only encourage apps
to improperly rely on gss-krb5's safety and then be unsafe if used with
a different mechanism.
